{"id":13721264,"url":"https://github.com/EgeBalci/Amber","last_synced_at":"2025-05-07T13:32:09.910Z","repository":{"id":41156293,"uuid":"92883948","full_name":"EgeBalci/amber","owner":"EgeBalci","description":"Reflective PE packer.","archived":false,"fork":false,"pushed_at":"2024-02-22T17:44:19.000Z","size":6712,"stargazers_count":1179,"open_issues_count":5,"forks_count":207,"subscribers_count":46,"default_branch":"master","last_synced_at":"2024-10-29T17:54:47.865Z","etag":null,"topics":["amber","assembly","crypter","packer","payload","pe","shellcode","shellcode-loader","stub"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EgeBalci.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-30T23:10:05.000Z","updated_at":"2024-10-28T03:12:59.000Z","dependencies_parsed_at":"2022-07-14T23:30:38.748Z","dependency_job_id":"f7f8d220-1f1b-49da-852f-86ed8c811a2f","html_url":"https://github.com/EgeBalci/amber","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EgeBalci%2Famber","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EgeBalci%2Famber/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EgeBalci%2Famber/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EgeBalci%2Famber/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/EgeBalci","download_url":"htt
ps://codeload.github.com/EgeBalci/amber/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224604863,"owners_count":17339221,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amber","assembly","crypter","packer","payload","pe","shellcode","shellcode-loader","stub"],"created_at":"2024-08-03T01:01:14.736Z","updated_at":"2024-11-14T10:31:19.578Z","avatar_url":"https://github.com/EgeBalci.png","language":"Go","funding_links":[],"categories":["Packers / Obfuscators"],"sub_categories":[],"readme":"\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./.github/img/banner.png\"\u003e\n  \u003cbr/\u003e\n  \u003ca href=\"https://github.com/EgeBalci/amber\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/version-3.2.0-green.svg?style=flat-square\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/egebalci/amber\"\u003e\n    \u003cimg src=\"https://goreportcard.com/badge/github.com/egebalci/amber?style=flat-square\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/EgeBalci/amber/issues\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/issues/egebalci/amber?style=flat-square\u0026color=red\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://raw.githubusercontent.com/EgeBalci/sgn/master/LICENSE\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/license/egebalci/amber.svg?style=flat-square\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://twitter.com/egeblc\"\u003e\n    \u003cimg 
src=\"https://img.shields.io/badge/twitter-@egeblc-55acee.svg?style=flat-square\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n# Introduction\n\nAmber is a position-independent (reflective) PE loader that enables in-memory execution of native PE files (EXE, DLL, SYS...). It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application white-listing mitigations. Reflective payloads generated by Amber can either be staged from a remote server or executed directly in memory, much like generic shellcode. By default, every generated payload is encoded using the new-generation [SGN encoder](https://github.com/EgeBalci/sgn). Amber uses [CRC32_API](https://github.com/EgeBalci/crc32_api) and [IAT_API](https://github.com/EgeBalci/iat_api) for inconspicuously resolving the Windows API function addresses. After the PE file is loaded and executed in memory, the reflective payload is erased to evade memory scanners.\n\n# Installation\nPre-compiled binaries can be found under [releases](https://github.com/EgeBalci/amber/releases).\n\n***Building From Source***\n\nThe only dependency for building the source is the [keystone engine](https://github.com/keystone-engine/keystone); follow [these](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE.md) instructions for installing the library. 
Once libkeystone is installed on the system, simply go get it ツ\n\n```\ngo install github.com/EgeBalci/amber@latest\n```\n\n***Docker Install***\n\n[![Docker](http://dockeri.co/image/egee/amber)](https://hub.docker.com/r/egee/amber/)\n\n```\ndocker pull egee/amber\ndocker run -it egee/amber\n```\n\n# Usage\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./.github/img/usage.gif\"\u003e\n\u003c/p\u003e\n\nThe following table lists the switches supported by amber.\n\n\u003ctable border=\"1\"\u003e\n  \u003ctr\u003e\n    \u003cth\u003eSwitch\u003c/th\u003e\n    \u003cth\u003eType\u003c/th\u003e\n    \u003cth\u003eDescription\u003c/th\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-f,--file\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003estring\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eInput PE file.\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-o,--out\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003estring\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eOutput binary payload file name.\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eint\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eNumber of times to encode the generated reflective payload.\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e--iat\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003ebool\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eUse the IAT API resolver block instead of the CRC API resolver block.\u003c/td\u003e\n  \u003c/tr\u003e\n  \n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e-l\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003eint\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eMaximum number of bytes for obfuscation (default 5).\u003c/td\u003e\n  
\u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e--sys\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003ebool\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003ePerform raw syscalls (x64 only).\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e--scrape\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003e\u003cvar\u003ebool\u003c/var\u003e\u003c/td\u003e\n    \u003ctd\u003eScrape the magic bytes and DOS stub from the PE.\u003c/td\u003e\n  \u003c/tr\u003e\n  \n\u003c/table\u003e\n\n\n**Example Usage**\n\n- Generate a reflective payload.\n```\namber -f test.exe\n```\n- Generate a reflective payload with the IAT API resolver and encode the final payload 10 times.\n```\namber -e 10 --iat -f test.exe\n```\n\n***Docker Usage***\n```\ndocker run -it -v /tmp/:/tmp/ amber -f /tmp/file.exe\n```\n\n# Demo\n\n- [NOPcon 2018 DEMO](https://www.youtube.com/watch?v=lCPdKSH6RMc)\n- [Pentest.blog - Deploying Reflective PE Files With Metasploit](https://www.youtube.com/watch?v=3en0ftnjEpE)\n- [Pentest.blog - Deploying Reflective Ransomware POC](https://www.youtube.com/watch?v=JVv_spX6D4U)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEgeBalci%2FAmber","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FEgeBalci%2FAmber","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FEgeBalci%2FAmber/lists"}